45 CFR § 1182.15
Institute responsibility for maintaining adequate technical, physical, and security safeguards to prevent unauthorized disclosure or destruction of manual and automatic record systems
April 14, 2021

The Chief Information Officer has the responsibility of maintaining adequate technical, physical, and security safeguards to prevent unauthorized disclosure or destruction of manual and automatic record systems. These security safeguards shall apply to all systems in which identifiable personal data are processed or maintained, including all reports and outputs from such systems that contain identifiable personal information. Such safeguards must be sufficient to prevent negligent, accidental, or unintentional disclosure, modification or destruction of any personal records or data, and must furthermore minimize, to the extent practicable, the risk that skilled technicians or knowledgeable persons could improperly obtain access to modify or destroy such records or data and shall further insure against such casual entry by unskilled persons without official reasons for access to such records or data.

(a) Manual systems.

(1) Records contained in a system of records as defined in this part may be used, held, or stored only where facilities are adequate to prevent unauthorized access by persons within or outside the Institute.

(2) All records, when not under the personal control of the employees authorized to use the records, must be stored in a locked filing cabinet. Some systems of records are not of such confidential nature that their disclosure would constitute a harm to an individual who is the subject of such record. However, records in this category also shall be maintained in locked filing cabinets or maintained in a secured room with a locking door.

(3) Access to and use of a system of records shall be permitted only to persons whose duties require such access within the Institute, for routine uses as defined in §1182.2 as to any given system, or for such other uses as may be provided in this part.

(4) Other than for access within the Institute to persons needing such records in the performance of their official duties or routine uses as defined in §1182.1, or such other uses as provided in this part, access to records within a system of records shall be permitted only to the individual to whom the record pertains or upon his or her written request to the General Counsel.

(5) Access to areas where a system of records is stored will be limited to those persons whose duties require work in such areas. There shall be an accounting of the removal of any records from such storage areas utilizing a log, as directed by the Chief Information Officer. The log shall be maintained at all times.

(6) The Institute shall ensure that all persons whose duties require access to and use of records contained in a system of records are adequately trained to protect the security and privacy of such records.

(7) The disposal and destruction of records within a system of records shall be in accordance with rules promulgated by the General Services Administration.

(b) Automated systems.

(1) Identifiable personal information may be processed, stored, or maintained by automated data systems only where facilities or conditions are adequate to prevent unauthorized access to such systems in any form. Whenever such data, whether contained in punch cards, magnetic tapes, or discs, are not under the personal control of an authorized person, such information must be stored in a locked or secured room, or in such other facility having greater safeguards than those provided for in this part.

(2) Access to and use of identifiable personal data associated with automated data systems shall be limited to those persons whose duties require such access. Proper control of personal data in any form associated with automated data systems shall be maintained at all times, including maintenance of accountability records showing disposition of input and output documents.

(3) All persons whose duties require access to processing and maintenance of identifiable personal data and automated systems shall be adequately trained in the security and privacy of personal data.

(4) The disposal and disposition of identifiable personal data and automated systems shall be done by shredding, burning, or, in the case of tapes or discs, degaussing, in accordance with regulations of the General Services Administration or other appropriate authority.

[71 FR 6375, Feb. 8, 2006, as amended at 84 FR 22945, May 21, 2019]

